Independently Verifiable

Trust Center

Zero-trust. Zero-PHI. Everything is verifiable on-chain or via public API. We built HIPAA Agent so you never have to take our word for it.

Verify on Blockchain →
View Reputation Data →

Zero-PHI Architecture

Patient data never enters our system. Here is exactly what flows through.

NPI Number: Public Registry
Infrastructure Scan: Dedicated VPS
Security Findings: 76 Finding Types
Compliance Grade: A through F

PHI never enters our system. We scan websites, DNS records, email configurations, SSL certificates, and network infrastructure only. No patient data is collected, processed, or stored at any point in our pipeline.

Encryption

In Transit

TLS 1.3 enforced on all connections
HSTS preload with includeSubDomains
Certificate pinning on API endpoints

At Rest

AES-256 encryption via Supabase (PostgreSQL)
Fernet symmetric encryption on VPS temp files
Encrypted backups with point-in-time recovery

Blockchain Anchoring

A daily root hash of the audit log is written to a public blockchain, so the state of the log on any given date can be checked without trusting HIPAA Agent.

Frequency: Daily at 2:00 AM UTC
Algorithm: SHA-256 root hash of all audit events
Blockchain: Base (Ethereum L2 by Coinbase)
Transaction: 0 ETH self-transfer with the root hash in the data field
Cost per anchor: ~$0.001
Verification: GET /api/verify/anchor/{date}
Learn more →
View on Basescan →

Cryptographic Attestations

Every score, grade, and scan result is cryptographically signed.

Ed25519 Digital Signatures

All reputation data (scores, grades, scan results, and metrics) is signed with Ed25519 signatures. The public key is published via the API so anyone can independently verify that data originated from HIPAA Agent and has not been tampered with. Because the key is served by the same API as the data, verifiers should record it once and pin it, so that a later response cannot simply ship a different key alongside a signature that matches it.

Algorithm: Ed25519 (Curve25519)
Key size: 256-bit
Public key: GET /api/reputation (included in response)
Signed data: Scores, grades, scan results, metrics

SHA-256 Hash Chain

Per-NPI immutable audit trail. Each event is chained to the previous.

01 Genesis Block

When a practice is first scanned, a genesis block is created with a unique SHA-256 hash. This is the root of the practice's audit chain.

02 Chained Events

Every subsequent event (scan, finding, grade change, report delivery) includes the previous event's hash in its own hash computation, so no event can be altered without changing every hash after it.

03 Tamper Detection

Modifying any event invalidates every hash that follows it. Integrity verification is a single pass: recompute each hash from the genesis block and compare it with the stored value. On its own, a hash chain only proves that the stored events are consistent with each other; the daily blockchain anchor is what fixes the chain's state at a point in time, so the chain cannot be rewritten and re-hashed end to end without the mismatch showing up against the anchored root.

View full audit trail documentation →

PHI Detection Layer

Active defense against accidental PHI exposure. Every request is scanned.

Automatic PHI Rejection

Every API request is scanned for the 18 identifier categories listed in the HIPAA Privacy Rule's Safe Harbor de-identification standard (45 CFR 164.514(b)(2)). If PHI is detected, the request is rejected immediately with a PHI_DETECTED error and the event is logged to the security_events table.

Developer tool: POST /api/security/phi-check

18 PHI Identifiers Scanned

Names
Addresses (geographic subdivisions smaller than a state)
Dates (all elements except year: birth, admission, discharge, death)
Phone numbers
Fax numbers
Email addresses
SSN
Medical record numbers
Health plan beneficiary numbers
Account numbers
Certificate/license numbers
Vehicle identifiers and serial numbers (including license plates)
Device identifiers and serial numbers
Web URLs
IP addresses
Biometric identifiers (including finger and voice prints)
Full-face photographs and comparable images
Any other unique identifying number, characteristic, or code

Access Controls

Role-based access, granular scopes, and multi-factor authentication.

Role-Based Access Control

12 OAuth2 scopes control access to every resource. API keys are tiered: free, startup, professional, and platform.

scan:read
scan:write
findings:read
findings:write
report:read
report:generate
breach:read
reputation:read
audit:read
policy:read
policy:write
admin:all

Authentication

TOTP-based multi-factor authentication
Session timeouts with auto-logout
Magic link passwordless login
Bearer token API authentication
Granular per-resource permissions

Infrastructure

Vercel Pro

Next.js hosting, global edge network, automatic DDoS protection, zero-config SSL

Hetzner CCX23

Dedicated VPS for scanning operations, EU-grade privacy standards, isolated from application layer

Supabase

PostgreSQL with Row Level Security, automated encrypted backups, real-time audit logging

Resend

Transactional email with DKIM, SPF, and DMARC authentication on all outbound messages

Uptime & Monitoring

99.8%
Historical uptime
Health endpoint: /api/health (public, no auth)
Cron monitoring: Automated health checks every 5 minutes
Alert system: Immediate notification on failure detection
Recovery: Auto-restart with exponential backoff

Incident Response

Contact & Response

Report security concerns to security@hipaaagent.ai
72-hour acknowledgment on all reports
Responsible disclosure welcome

Responsible Disclosure

Safe Harbor for Security Researchers

We welcome good-faith security research. If you discover a vulnerability in HIPAA Agent, we want to hear about it and will work with you to resolve it responsibly.

Report vulnerabilities to security@hipaaagent.ai
Response within 72 hours
No legal action for good-faith security research
Coordinated disclosure timeline agreed upon together
Credit given to researchers upon request

Verify Our Claims

Everything on this page is independently verifiable. Check the blockchain anchors, verify the cryptographic signatures, or hit the health endpoint right now.

Verify Anchors →
Verify Signatures →
Check Uptime →